验证来自其他域的iframe发布请求

I need to create a click to call widget(using iframe). clients will add the widget on their websites. iframe will have an input box where some customer of the client will enter their mobile number and when customer clicks on submit button a request will be made to our server directly from the customer's browser. How we can identify that a request was made from a valid website? Is there any way to hack this post request? Also is there any better way?

Screenshot of widget:

To clarify, the widget will be on other domain and post request will be sent directly to our server.

The detection could be done server side. For example, with php

$origin = $_SERVER['HTTP_REFERER'];

in your destination script, gives you the originating domain. You can validate with that.

Hope this helps. Cheers

you can set the Access-Control-Allow-Origin header on your server headers and specify the exact domains, to allow them to send requests from their browsers like this:

Access-Control-Allow-Origin: http://domain1.com http://domain2.com

check this link for more info.

the other way is to read the Origin header from the client then check it if it is one of the list of allowed domains, and if it is, write the response and set the Access-Control-Allow-Origin header.